d2ccd32d90717efd9c6ded73ccf0c96134f258752a2e6ec198ea3de0aa7f8aa3

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
Size

6.1MB
MD5

43a921f89cef249ab663633bbc741f82
SHA1

5de1d8501524a74e182c9633984c8bf91d750622
SHA256

d2ccd32d90717efd9c6ded73ccf0c96134f258752a2e6ec198ea3de0aa7f8aa3
SHA512

8fac6c1366c75b51b993a04f3a0700569795924bec8113b215a322c14d87a869f2d0dffc793dd911a698ae13e73d90ab64370342f2ed8995ff84d18cbf734625
SSDEEP

98304:bihyoPgbIAQEHY3N3sNfxLlC1DxeGqrEr:aDRsNZUDxeN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2948	alg.exe
2596	aspnet_state.exe
2712	mscorsvw.exe
2428	mscorsvw.exe
1548	mscorsvw.exe
764	mscorsvw.exe
1720	ehRecvr.exe
2760	ehsched.exe
988	elevation_service.exe
1992	IEEtwCollector.exe
1996	GROOVE.EXE
1016	maintenanceservice.exe
2360	mscorsvw.exe
2028	msdtc.exe
1520	msiexec.exe
2600	OSE.EXE
2880	mscorsvw.exe
1644	OSPPSVC.EXE
1864	perfhost.exe
888	locator.exe
2568	snmptrap.exe
1260	vds.exe
2648	mscorsvw.exe
2768	vssvc.exe
2012	wbengine.exe
2368	WmiApSrv.exe
2900	wmpnetwk.exe
1980	SearchIndexer.exe
1600	mscorsvw.exe
2884	mscorsvw.exe
1056	mscorsvw.exe
3048	mscorsvw.exe
2320	mscorsvw.exe
1396	mscorsvw.exe
1684	mscorsvw.exe
876	mscorsvw.exe
1940	mscorsvw.exe
3056	mscorsvw.exe
1640	mscorsvw.exe
1620	mscorsvw.exe
2956	mscorsvw.exe
2056	mscorsvw.exe
976	mscorsvw.exe
1944	mscorsvw.exe
2344	mscorsvw.exe
2756	mscorsvw.exe
2936	mscorsvw.exe
2492	mscorsvw.exe
2584	mscorsvw.exe
1728	mscorsvw.exe
884	dllhost.exe
2484	mscorsvw.exe
3068	mscorsvw.exe
272	mscorsvw.exe
2636	mscorsvw.exe
2532	mscorsvw.exe
2044	mscorsvw.exe
2776	mscorsvw.exe
2632	mscorsvw.exe
2096	mscorsvw.exe
268	mscorsvw.exe
1912	mscorsvw.exe
2584	mscorsvw.exe

Loads dropped DLL 53 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1520	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
752	Process not Found
480	Process not Found
2532	mscorsvw.exe
2532	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe
2096	mscorsvw.exe
2096	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
928	mscorsvw.exe
928	mscorsvw.exe
2072	mscorsvw.exe
2072	mscorsvw.exe
1776	mscorsvw.exe
1776	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
276	mscorsvw.exe
276	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
2484	mscorsvw.exe
2484	mscorsvw.exe
1672	mscorsvw.exe
1672	mscorsvw.exe
2548	mscorsvw.exe
2548	mscorsvw.exe
596	mscorsvw.exe
596	mscorsvw.exe
532	mscorsvw.exe
532	mscorsvw.exe
2840	mscorsvw.exe
2840	mscorsvw.exe
1572	mscorsvw.exe
1572	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\31aecdb7bfe435d8.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F6AFA7E0-7C65-4C06-9D81-8A9FA89DB845}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9ECF.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPADDC.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA573.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP97CD.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1E4A.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3AFE.tmp\ehiActivScp.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDE4E.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000900b33306475da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000900b33306475da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000902c6c306475da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070b0cc2f6475da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003068be2f6475da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2604	ehRec.exe
2596	aspnet_state.exe
2596	aspnet_state.exe
2596	aspnet_state.exe
2596	aspnet_state.exe
2596	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1776	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
Token: SeTakeOwnershipPrivilege	2596	aspnet_state.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: 33	772	EhTray.exe
Token: SeIncBasePriorityPrivilege	772	EhTray.exe
Token: SeDebugPrivilege	2604	ehRec.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeSecurityPrivilege	1520	msiexec.exe
Token: 33	772	EhTray.exe
Token: SeIncBasePriorityPrivilege	772	EhTray.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe
Token: SeBackupPrivilege	2012	wbengine.exe
Token: SeRestorePrivilege	2012	wbengine.exe
Token: SeSecurityPrivilege	2012	wbengine.exe
Token: 33	2900	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2900	wmpnetwk.exe
Token: SeDebugPrivilege	2596	aspnet_state.exe
Token: SeManageVolumePrivilege	1980	SearchIndexer.exe
Token: 33	1980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1980	SearchIndexer.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeDebugPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe
Token: SeShutdownPrivilege	1548	mscorsvw.exe
Token: SeShutdownPrivilege	764	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
772	EhTray.exe
772	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
772	EhTray.exe
772	EhTray.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe
2820	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2360	764	mscorsvw.exe	43
PID 764 wrote to memory of 2360	764	mscorsvw.exe	43
PID 764 wrote to memory of 2360	764	mscorsvw.exe	43
PID 764 wrote to memory of 2880	764	mscorsvw.exe	47
PID 764 wrote to memory of 2880	764	mscorsvw.exe	47
PID 764 wrote to memory of 2880	764	mscorsvw.exe	47
PID 1548 wrote to memory of 2648	1548	mscorsvw.exe	53
PID 1548 wrote to memory of 2648	1548	mscorsvw.exe	53
PID 1548 wrote to memory of 2648	1548	mscorsvw.exe	53
PID 1548 wrote to memory of 2648	1548	mscorsvw.exe	53
PID 1548 wrote to memory of 1600	1548	mscorsvw.exe	60
PID 1548 wrote to memory of 1600	1548	mscorsvw.exe	60
PID 1548 wrote to memory of 1600	1548	mscorsvw.exe	60
PID 1548 wrote to memory of 1600	1548	mscorsvw.exe	60
PID 1548 wrote to memory of 2884	1548	mscorsvw.exe	61
PID 1548 wrote to memory of 2884	1548	mscorsvw.exe	61
PID 1548 wrote to memory of 2884	1548	mscorsvw.exe	61
PID 1548 wrote to memory of 2884	1548	mscorsvw.exe	61
PID 1548 wrote to memory of 1056	1548	mscorsvw.exe	62
PID 1548 wrote to memory of 1056	1548	mscorsvw.exe	62
PID 1548 wrote to memory of 1056	1548	mscorsvw.exe	62
PID 1548 wrote to memory of 1056	1548	mscorsvw.exe	62
PID 1548 wrote to memory of 3048	1548	mscorsvw.exe	63
PID 1548 wrote to memory of 3048	1548	mscorsvw.exe	63
PID 1548 wrote to memory of 3048	1548	mscorsvw.exe	63
PID 1548 wrote to memory of 3048	1548	mscorsvw.exe	63
PID 1548 wrote to memory of 2320	1548	mscorsvw.exe	64
PID 1548 wrote to memory of 2320	1548	mscorsvw.exe	64
PID 1548 wrote to memory of 2320	1548	mscorsvw.exe	64
PID 1548 wrote to memory of 2320	1548	mscorsvw.exe	64
PID 1548 wrote to memory of 1396	1548	mscorsvw.exe	65
PID 1548 wrote to memory of 1396	1548	mscorsvw.exe	65
PID 1548 wrote to memory of 1396	1548	mscorsvw.exe	65
PID 1548 wrote to memory of 1396	1548	mscorsvw.exe	65
PID 1548 wrote to memory of 1684	1548	mscorsvw.exe	66
PID 1548 wrote to memory of 1684	1548	mscorsvw.exe	66
PID 1548 wrote to memory of 1684	1548	mscorsvw.exe	66
PID 1548 wrote to memory of 1684	1548	mscorsvw.exe	66
PID 1548 wrote to memory of 876	1548	mscorsvw.exe	67
PID 1548 wrote to memory of 876	1548	mscorsvw.exe	67
PID 1548 wrote to memory of 876	1548	mscorsvw.exe	67
PID 1548 wrote to memory of 876	1548	mscorsvw.exe	67
PID 1548 wrote to memory of 1940	1548	mscorsvw.exe	68
PID 1548 wrote to memory of 1940	1548	mscorsvw.exe	68
PID 1548 wrote to memory of 1940	1548	mscorsvw.exe	68
PID 1548 wrote to memory of 1940	1548	mscorsvw.exe	68
PID 1980 wrote to memory of 2820	1980	SearchIndexer.exe	69
PID 1980 wrote to memory of 2820	1980	SearchIndexer.exe	69
PID 1980 wrote to memory of 2820	1980	SearchIndexer.exe	69
PID 1980 wrote to memory of 1436	1980	SearchIndexer.exe	70
PID 1980 wrote to memory of 1436	1980	SearchIndexer.exe	70
PID 1980 wrote to memory of 1436	1980	SearchIndexer.exe	70
PID 1548 wrote to memory of 3056	1548	mscorsvw.exe	71
PID 1548 wrote to memory of 3056	1548	mscorsvw.exe	71
PID 1548 wrote to memory of 3056	1548	mscorsvw.exe	71
PID 1548 wrote to memory of 3056	1548	mscorsvw.exe	71
PID 1548 wrote to memory of 1640	1548	mscorsvw.exe	72
PID 1548 wrote to memory of 1640	1548	mscorsvw.exe	72
PID 1548 wrote to memory of 1640	1548	mscorsvw.exe	72
PID 1548 wrote to memory of 1640	1548	mscorsvw.exe	72
PID 1548 wrote to memory of 1620	1548	mscorsvw.exe	73
PID 1548 wrote to memory of 1620	1548	mscorsvw.exe	73
PID 1548 wrote to memory of 1620	1548	mscorsvw.exe	73
PID 1548 wrote to memory of 1620	1548	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2712

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d0 -NGENProcess 254 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 25c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 23c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 250 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 1d0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 26c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 264 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1d0 -NGENProcess 298 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1d0 -NGENProcess 294 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d0 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e0 -NGENProcess 20c -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 258 -NGENProcess 234 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 260 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 234 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 23c -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 234 -NGENProcess 278 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 264 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 26c -NGENProcess 280 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1ac -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 234 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 29c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 2a0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a4 -NGENProcess 29c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 278 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2b0 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2a8 -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 278 -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 278 -NGENProcess 2a4 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 258 -NGENProcess 2c8 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b0 -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 27c -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a0 -NGENProcess 2d0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c8 -NGENProcess 2e4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2e8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2ec -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e4 -NGENProcess 2d4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f8 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 10c -NGENProcess 308 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d4 -NGENProcess 10c -Pipe 108 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 10c -NGENProcess 304 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 10c -NGENProcess 2d4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 35c -NGENProcess 358 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 350 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 378 -NGENProcess 358 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 1a4 -NGENProcess 344 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:3052

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1720

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:988

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1992

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2600

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2820
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1436

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
c8689fab750d5afbf65d1c40823b4cb4

SHA1
bbace2cdcd9cd3bf8f79106fc259ed8602bb4f23

SHA256
6778e6f37d023c65a312fccbc1038af559ab50febfa0161f84aa7287a1d342eb

SHA512
4b99060ce87f2cc670e2db8a5868f74fb824f9990cc73f2d18fcfa00820c31b354ad701a3e9a918077f430f9f99707f4195f93807db829cf32e3911035820802

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
10.4MB

MD5
bae358b1551417fbb218108b983451ff

SHA1
f238a68d4a3ca4e47287b3cec5a9705f895c152e

SHA256
0383774b170b3bde8ee60f4ed994432895a6cb5ec5c88a27bf08e1d2bcca7276

SHA512
ae349e9aa58f6a86ee26c3c2992c94b0209b64a872b6a140e32bb611618151e0d6ad8172cb23d69c6070e99af52ed6adb68c98e8a91cdb561b4f4dfdf26b6d10

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
de0da169220ef25817ea1d7e1b568096

SHA1
a935d25c93765b5ac28be0291d784e602d0a02f8

SHA256
ed1da10ad8c269f30c5ddedf48915351fe3c405e40d8a8931b42a8c8319e1b5d

SHA512
b71ecbb7868139be6733d116933c53bb55646af13265f14b08f6f9ab84663cb59e3ac76d5a5692e4b19cc96859bc4ba00f24f4ead0c4e0d0e49534b191b38112

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
3.5MB

MD5
dc09133882ffc1aeb2649bb0935346e9

SHA1
1c4e3d6f60ac8e6e5aa3e8c8ed872d0dcd8ecdec

SHA256
55687c64519f1b7c0933c0f16de1d6f9421783e029f077cd5a06bb8815329fc1

SHA512
1c7a798ac50d6b6b01ea510b4f2459c6ba8a560c6b3bf7a93db1a7af9981f86e7980c11818a86d5924acab4145fd1399e289585e628be1b1d5c337c880608192

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2784d1fca225c80054bbb471950a456a

SHA1
bf9e942ac6880088d8f0a3bbb815cfecfda784ab

SHA256
b87231c95c3fcdc1ccf00ebd243bfd0e6349f434c7b487823b76fd0241733ad6

SHA512
87e27d7eae06adc5bab498d45a097974bcd51dabf277ba526e274350c7ba2256aee65dfd3672783cfc8de3571f3a461b19123a17cbd110e3cba850a73166fd18

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
86f9ea1f543ed9ad5c957988a75bfca9

SHA1
cf70699e5d2d14385b9e194ed8e4d97ae9fae718

SHA256
fc48be2f19f2a58f4628ceed62e509aa14a84cfef15a9f3170e85202c9f96001

SHA512
24066285e1fa84bf59b0a4a6757660c102451a525edf057c28415f43f7abec2fde2b30346a661e19fdc4f83468c85ee43db80a196b2ed452b58e259f53984b94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
c22b21b5282594594c2e184068ecf8fc

SHA1
5d10fd3eb2321dad1b8ecca1e7afdae01ca5edaf

SHA256
3c2a7890d42cbee3170a89db2b6a04092991c1fbc0d961787fe397ba2dda1404

SHA512
4271c2b0d5019eda6dadc18105685604b64ee49e4f8492a9798daabe0ba4ec2accca09c10eb25a7172c25d839815021648d235ac946ca272f95f2025c630d95d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
5e2d3c555ef923e39c736ba85f20a3df

SHA1
816ff526c033a5bdec25933ecad3fec9da5f55d1

SHA256
873ac3d5f6f46de5642a7a257764af183b05ebf076cd2a1369c819025a694d6b

SHA512
ada05d58841b78f4e3389582363a5b8de28b9cfa9c93f11926dcf5c2c20a69f166d8e4257e23c09d2f6f397f22a1c959eda2d467debf6eb5cfcac9c2ec65fc50

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
ab3a04fedbcaaae75899149aa2063330

SHA1
2dfca5dccf219e11d67f40c217c6cfd0c05ffd05

SHA256
70710e8f741621cd2ea3db78e451df9b6a6600a5d5d8bd483125e293cda271c9

SHA512
8f8a46d7018b3d061bcdbd4843c9969d4d11dff28c91437a5c6f8f9a985aa67ddf8062162a91cee39d4db77e623205b7321df255c965e286640d6b422a621ad3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
6c7caf1f46feeacc0a4050773bad13f5

SHA1
89330400ba473e61f02539b002ebb8b52cea34ab

SHA256
cf7f2cdbc3c03b2ae918f8216429ba4611a0ef153d04964e3c9ef950e5c2c785

SHA512
078c1ad3f4afbda5db51065af4e871ef2a007c4dd2f471381edbff966a7a5e26503764fc6fa1dd38d55ef65a1511fe3ac0b55fea9ac3a0cf95474628ae79b058

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
cb12db9e234af6f88b23fd3506c508d1

SHA1
c5e41c4bd872e61fa4ef94519657615fa7edfa92

SHA256
8de0188632d55c2f6035ceed1ee87a5f3a9cca03ff51defe4b692680eb85a581

SHA512
4268b1447985f4f787dfcbe75dc455b0caaa77c03ff880d2ec26968204aae0a8f3dd2c1dd14d133c2ff79e77190ca268fcba3cf7d789e2411da1403cd6a753fa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
72588b9970bd4b41b0dea7685b326544

SHA1
8e29f43b7252554dc5f492553a6dad57d0f95820

SHA256
55f7a69a5192d41a814e1cc7bdfc701baa919b742d182378328536c77fef1965

SHA512
5fc0bf8c054e980025433163cfdc8cb7a50bff83f79e57ca11cd39f5483d5d19ceccf8fee84621e0614f273fdf0a654f1bdaf04ca3cfb2058f2cd11828cc8a97

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
640KB

MD5
2a43752d92ca419491e1c092a4b43f0b

SHA1
de8b1493ff13ae3717d44144106a9dbcef3cbae5

SHA256
41eea96299f0920b6b0c25cc47cfb8546ac40ac39eab39ecf8f86ea675f82a30

SHA512
3856e0a6d504a6b7139fee04b989dfbf108db9150c0a4fef6b61a34081d841af767bb3d3254dc12e9591e4becae37a1e500e63c9f7dcf980381335f6f1204675

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
15d9bf337e727676805a9e6096c8cb7a

SHA1
b0ce78dff5b6abc5bb4047773b1833b97c7eaad7

SHA256
c7f777e4d8969693ce0c0292fb8929a9176ebc3811d961233418988ebd340f5d

SHA512
82149bdaaed059e2db60920b2ba1792e4252d03f93a6c1da000f01dd879e8d215ecc4fdd0f801ac57c71eb46cc90dfa26fdd0c746b4705b17eab49f42fae8055

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
19f4bda37fed515e729448552a835ab1

SHA1
2413711e05f2c1e3ecbf43a06029ed3695bedee3

SHA256
ec686095821d72148926b6a57444f8f25ba9bae0094df465b7b5cf3e2cdbcd23

SHA512
7e5bad74e84476ffa4948d7e361ca6f1a7d52a8ace648cf14ccf7b011b3e5adc85bb2ddd44367121289fb09b0b47cd40d5ae18d5f4ba516597d24be0c711ae55

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
eac79cbc541bdbef1ceb57b885e84c4c

SHA1
5b987c20dc534755ddfcfccfa74db390710fde18

SHA256
834126b97473519ba80740c226617f5d0f7aa3672af2920d7c828cf8563a73e5

SHA512
b49973b7eeb862cf5e77d6a96135ddb04474dc8ad4fb5e5582f2c877dbe7454fd7f79f811a7c60da62a0adda1b62a46a4c4ede8bbb1e287a2581359412977df7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
733025c0e6ddf717c0c74d843c19ad58

SHA1
5844a3abe7391ee1a2e78faf988d1caaa374103e

SHA256
104cca4c05a78b751d8aa46fd5ce26cd9cd07ac6a958fc9882175a94e5fb5048

SHA512
0b7a2d3759f9d6c813511c878a62088d57a3c1e100a2d88dac5f8f762a5822f4e10c7014e680738ddab45de3d51e1fafa9c397a4bbe2063241813ea2c03be580

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
384KB

MD5
cb1363b446b8a95aa7cf5424f19604b5

SHA1
ae1edbc327973d0065e60fefe65e06daa1b2aa2c

SHA256
3116f1f981289a0f17ba7140a124711cd3aed9804d8995c9a12e9edb6d40fe59

SHA512
c61fef6d229d3f4f540173f2671325d516d5f9f2717e3187d55d0afdaf15d31ac16d4513fb8324e0292be56b0cafe9decf99247c6c3895ee65952ef9d8944c81

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
b5505cf48e739997b9016fe59add5f04

SHA1
e80bf3d5e0e4f17a6c5c44ef99767133cab0fb1a

SHA256
78bf2efa8226384ff1f9a9e66931ceaf45c9450b56af01721360a11331ed828e

SHA512
892e5bb2ae93175ed443a5d333c624566f729db0cd2cde701f6c27be110d67e7089726f5f802603604b4166f105b480dd684990186cadc441d2616492dd5f1d2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
595692627f2d5f1db55fafb3d128ee92

SHA1
69faabca5025c836e962c1ef3d46be0d1f6b8628

SHA256
ba2343d42815223b737bd44e7a0139cb8e2443b1d8eb623dbf3b912584ecd106

SHA512
8232a24d525f663b447038317c5485607844c16d84a1f51b2a2a3d53d87ce5913af6c247ba85355c084cc3914ec4f07bc50b2c679f610d32030feaedb8d45ee9

Download Submit
C:\Windows\System32\vds.exe

Filesize
896KB

MD5
dbc735b1efdb3b9017cb68348626b03c

SHA1
b2474f61884ac845a1073d9cb047e34b3b68558d

SHA256
3e91c6f915d82771ce70478417bd746dc50a34d9ca0a76567f759d7445777d8d

SHA512
f14f8d69419557ff763f01600cbd9d88058572efbecbaadd79828103a1c4cee780c419de64dd1c3ac36d740944b2a85a3ca07b1701b01bdbf73b112107b43a2d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
b95321950374201cebd022357d916c14

SHA1
7e93307f9f198546146400f4a0c1cf60369aecff

SHA256
d9ca94999138fc21c33bbce48d25dc72e50bc8e22278ca1141df31d97c849e0c

SHA512
33ba7a57a94dbc18d2da16b768777266f0ec1c8f45624818ef4c4486a799076d64d22b5f6a4ecdb96ab79ded2fa9e20ef85c16eb42a17b4807164e2d4ac6a5cc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
8ded3388029f5d81fdb3dc0450780fb3

SHA1
d1b2484b572fd499e65cd0f533bea1f06ba60df5

SHA256
f3b24de6a8bb6ae9242548007af270e342639b387263c77bb157f6e921c38c3c

SHA512
c6ba9a949a3ebf9a2527fb67d48413f6b03c69d138e259bd13ca047a08812435c84db4bb372cf1dddda530da558c1e41d16367be85d194297a946843415f6d3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3483a87b7385b0e284c32ff0418390be\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
2167bc5a578a79d33b3ac7fb11db0cb5

SHA1
e4ca37d8b35374247e7f34438c086fb7a90bcab5

SHA256
f961032b9e489ad646957c00a94493593866af8d62e56152566583760b14b412

SHA512
429ebaefaf65b7ba4f2b800f1d782b0d3734ec15e321dce0328e54c643a8e958b8e4d18e9afa77c1ec4be7a5faf921d15d7b6ff0cdda5b90441130da2c451004

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5849d056da49fa36b870112a102fbe79\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
04e02512577ce6d60297c5b846821822

SHA1
bf1f6bf601cdb17305b03496165a54a8e1e9b5a7

SHA256
cfabd93f9105ce7383af9e1c5d4068845bb883d0e408b9464c4cbeb8def6e2ce

SHA512
3d3ff842edc9591b63e2718ba95f3de7df730e0e6fa688a006f7be6e07df92a577c15a952eebd5857cdabcb1f989fb982df4ca2be369252a4e488db050342a46

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e0ba15300936967b3bb73f8eb1d96af9\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
3e975db0374321fc7a87f75b8b70ac26

SHA1
3b888706a19a7a6b15f6dd1d83bad40b58293783

SHA256
9aa931b9d9ac2579db0310bf9319249a5c677475813901357d03a3b0f4aad2d2

SHA512
59cc2a31e1bbf6948a87a912cd1b90c43a48a313148159b8d5b2b20adb12c185cdf5e588ead716671e3a149c7d1c53c7cc31e00dbbdc3d6a759bf74bfe4e5346

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e5edfa0f8aedef9437f502bf4e6b0d70\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
f963f515f61f42429fe6c3dbb9c25626

SHA1
92e850a19bd112ba1af2382032ad8cefa4fe8f4d

SHA256
2bdf46c6d4e447856b1b626a20a162a9be5b80addcd455cc552bb6966b430c78

SHA512
f23fa4692ff70604d45421645b937b73698adb0de3daaf5cfa2e916b14fddb77c185f5cd4f7203cf616dc66ab495ce30df4ae9c7da0ada809b34296cb744d785

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
ac55b9ca3de9a9c1a5cce27876f899ed

SHA1
e9f1c3050a2b083c1f9e15b3273dbf2023705631

SHA256
112fb0bebe68699a3ab82355a8bcc05db34b5bd6e9382db6f331ea4ff640c4e7

SHA512
8e45b29b49ac0b4b629d1607eea634c59bf86aa0404e29d559564a5fba0a2f427abdcaa7fb284a2e908125ea14f2890c82c229536175bf9f6351ae2968b9d7a0

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
baaf4b270b69be517c14774554285322

SHA1
a810db0b8c9128cefa4ae11113e39e94bf3aca36

SHA256
07863dd39708d0f55c897d147025de39af367757de219db42e39a157a47ade6c

SHA512
86916650def6b218f6acdbe1542fd6708f71bb064289b89702c2b06584f4c3176dd808e83ff44f340c7e5076bd04e988cf106aa07b15f17b297975f706463581

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
b3a34aff85c0d560c24d9d5017442cbb

SHA1
2e89b779dec7a793fd5ec1738cad12110da8260e

SHA256
e14a9e4d7b41421084c366027b8958b85bf72c08d53a914a554b26b5506687a3

SHA512
d199cbcc09b5c3f74e8e19da6b93a1f8ffe1c31dadc2de92a70f4dc4fd8c112bdc8424e9411f156ba163edc28a62fe752c1185f3cd0cb716b1413fe901cda86c

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
957cc521b8e90379b55533c754843837

SHA1
8c021ed103088ebf32e255efab9652ad362ca025

SHA256
762eecd430960ffa6e9e961b52f0146182cb2f46f64d72f493009be3a24450d8

SHA512
f459d660d7a85148144920340a1e9e5d923d03c37af25b63fa2ebb86edcc9e5336a15d0199ea433a36c2cb2dadc90313b154748efab1e3988bcd520d4811f2bd

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
a0796915b7f1715278f8ef7910cb6484

SHA1
122109683deca29fe5c537dde4ec5207e206dca2

SHA256
5e18072ff398c4fc88bcfb159f3283f71cb6e0c6a6639cb20df308530cf78817

SHA512
f21dc33b5b141bf62308efe14f0d73d486796722417171a99dfcfea490584198f17b1ab068f2e50daadc135b2f68cecd10978892889459e21f707cd3129b6b10

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
209a4ee1d7aef87739d5aa06e6bad247

SHA1
9aeb40a912d9ad56c0b910c422b30c65d690adcf

SHA256
ec9d6666384ad9f5c171e3de2d5355f77a1d0fd681391b233f52a461931080b3

SHA512
8b13100e35ce5c9fd86ab5c6ef3b20e4b3d1f429971a7f4c1d2ad3d818180857cd305d2e7912ffb7ac5b3d8179cf0c9b4c86dbe1d3bdc12e1120a71b9a7373db

Download Submit
\Windows\System32\wbengine.exe

Filesize
704KB

MD5
8121a36622b8c2a20e20f03ea4148595

SHA1
49bfa0619eb09b8bbd2bcb447cc05461ee96d26b

SHA256
934dd7398525ea33beedfe644017aca57595905b61052654d9604b5a0a7de075

SHA512
9e7ee422cca5fc6477c92e5b6c976b9757c7485758e971709df66ad3330b3824bf8e224a4d6c799d386edec164569d98758457eeadb8c5a2b8d301cf22a5e7a5

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
8b539ea0d2abb043af89f24a316478a3

SHA1
e9af9432a7fc935d224b60ea45b508062d66502d

SHA256
6b8ab6850a96e19742658c8a8749275146d43237e8deb3ca232f39c34f53cb04

SHA512
9bd188fc839b5240766bf77c0e548b56341ed347baacf80e4b55cabb85b5d9f58e4f9460b982424664b6a0adbe1a871f850fa0ca179e46c50c6f77ffa55cdb40

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
12af2d6b0deed73b8524963569cfff5d

SHA1
77a538ab7b82fa5f300c1d90ac36ac6d045b38d8

SHA256
6d36fb19e019eb9eb9fc84955fa502f7bfad9bd14dda2695d1ee6d47cfa372a8

SHA512
e3b9d63fd45e192c21c10a3974041f14ee362357ffb3311553380e8047ee236d02c64b8a2ee6599d1ec216be05049c1fbf1796aaf5681c59a04fe71d39436d64

Download Submit
memory/764-153-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/764-91-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/764-86-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/764-84-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/888-268-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/988-145-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/988-135-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/988-195-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1016-172-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1016-185-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/1016-201-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1016-203-0x0000000000FE0000-0x0000000001040000-memory.dmp

Filesize
384KB

Download
memory/1520-233-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/1520-234-0x0000000000440000-0x00000000004F2000-memory.dmp

Filesize
712KB

Download
memory/1548-74-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1548-63-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1548-66-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1548-144-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-241-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1644-266-0x0000000074208000-0x000000007421D000-memory.dmp

Filesize
84KB

Download
memory/1720-106-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1720-162-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1720-190-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1720-131-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1720-114-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1720-107-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1776-69-0x0000000000400000-0x0000000000A3C000-memory.dmp

Filesize
6.2MB

Download
memory/1776-1-0x0000000000400000-0x0000000000A3C000-memory.dmp

Filesize
6.2MB

Download
memory/1776-6-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/1776-7-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/1776-0-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/1864-254-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1864-261-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1992-154-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1996-158-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1996-165-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1996-253-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2028-223-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2360-251-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-222-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-192-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2360-249-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2360-250-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2428-46-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2428-82-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2428-51-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2428-44-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2568-271-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2596-105-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2596-17-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2596-18-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2596-24-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2600-236-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2600-225-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2604-197-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2604-146-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2604-150-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-152-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-239-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-231-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-227-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/2712-36-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2712-100-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2712-30-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2712-29-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2760-119-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2760-176-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2760-127-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2760-120-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2880-244-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2880-246-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-278-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2880-277-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2880-243-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2948-92-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2948-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download